The LiSt Open Files (lsof) command is referred to in many articles on Unix security. Many Unix admins I know have mentioned trying to use it, only to find it is not part of their Linux (or other Unix) distribution. That is often the case: the code is maintained by Victor Abell of the Purdue University Computing Center, and it is not included in all distributions. Even if it is shipped with the distribution you are using, consider getting the latest release; there have been security issues in various releases (lsof runs setuid to root).
You can easily locate the source via a Web search for 'lsof'. Note that reverse DNS lookup must work for the downloading machine if you go directly to Purdue for the source (highly recommended: who wants a suspicious security tool?). If you download from a mirror site, you can also do the PGP verification described in the documentation. Configuration and installation have been simple for all releases (4.5 is current as of this writing), so we will not go there in this short tip. Instead, let's look at the power of, and some uses for, this tool.
For starters, just running lsof without options lists every open 'thingie', probably far more than you want to sift through, other than as a baseline reference. An important point here is that lsof lists more than just regular files (hence the 'thingie' reference above). The default output includes regular files (denoted by REG), sockets and memory-mapped files. Using various options, you can select which open files you want listed.
Using lsof as an intrusion-detection tool, you might want to see which files a particularly suspicious or unknown process is using. For example:
By process ID: lsof -p pid (lsof -p 23102)
Or perhaps a program: lsof -c commandname (lsof -c netscape)
Or a user: lsof -u user-or-uid (lsof -u sfeet)
Or even a socket: lsof -i protocol:port (lsof -i tcp:23, i.e. TCP port 23)
As a basic precautionary security technique (rather than postmortem or paranoia work), use the -i option without an argument. It lists all open files associated with network connections. The output includes fields for the command or program involved, PID, USER, file descriptor, connection type, device number, protocol used and name (similar to 'netstat -i' naming). This is a good way of finding connections listening for input that you either are not using or do not understand (and thus might consider suspicious). Use this data to shut down unused daemons (and their listening sockets, which are unnecessary security risks).
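The review step above, turned into a repeatable check, as an added example that is not part of the original tip: it parses the output of 'lsof -nP -i' (the -n and -P flags keep addresses and ports numeric) and reports listening sockets that are not on an allowlist. The sample output, the 'proto:port' allowlist format and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): report listening sockets
# in "lsof -nP -i" output that are not on an allowlist. Column layout follows
# lsof 4.x; the allowlist format "tcp:22 udp:53" is this example's own.

# Constructed sample of "lsof -nP -i" output so the check can run offline.
SAMPLE_LSOF='COMMAND   PID  USER FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      612  root  3u  IPv4   9123      0t0  TCP *:22 (LISTEN)
sendmail  701  root  4u  IPv4   9345      0t0  TCP 127.0.0.1:25 (LISTEN)
named     820 named 20u  IPv4   9400      0t0  UDP *:53
unknownd 4411 nobody 5u  IPv4  15022      0t0  TCP *:31337 (LISTEN)
netscape 5002 sfeet  9u  IPv4  15100      0t0  TCP 10.0.0.5:34122->192.0.2.10:80 (ESTABLISHED)'

# listeners: read lsof -i output on stdin; print "proto:port command pid user"
# for each TCP socket in LISTEN state and each bound UDP socket (no state).
listeners() {
    awk 'NR > 1 {
        proto = tolower($8); name = $9; state = $10
        if (proto == "tcp" && state != "(LISTEN)") next   # established, etc.
        sub(/.*:/, "", name)                              # keep only the port
        print proto ":" name, $1, $2, $3
    }'
}

# unexpected_listeners ALLOWLIST: print listeners whose proto:port is not in
# the space-separated ALLOWLIST; these are the ones to explain or shut down.
unexpected_listeners() {
    allow=" $1 "
    listeners | while read -r key cmd pid user; do
        case "$allow" in
            *" $key "*) ;;   # expected, stay quiet
            *) printf '%s %s %s %s\n' "$key" "$cmd" "$pid" "$user" ;;
        esac
    done
}

# check_sample: run the check over the constructed sample against a baseline
# allowlist; prints the flagged lines (used for offline testing).
check_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | unexpected_listeners "tcp:22 tcp:25 udp:53"
}

# live_check ALLOWLIST: the same check on the running system (requires lsof
# on the PATH and root to see sockets owned by other users).
live_check() {
    lsof -nP -i | unexpected_listeners "$1"
}
```

Run 'live_check "tcp:22 tcp:25 udp:53"' after a baseline review; anything it prints is a listener the baseline did not account for.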
For non-security uses, lsof is still worth its disk space and compile time. Example: you want to unmount a filesystem, but umount reports it in use. To determine 'who' is using it, or which files are in use, try the '+D <directory>' option. It returns a list of open files under that directory, including which user has each open, so you know whom to pester if you really need to unmount that filesystem.
If any of this information sounds like something you might want to know, do a Web search for 'lsof'. If you want to look into more capabilities before taking the time to download and compile, search for 'lsof manpage'. If this information doesn't interest you at all, then please drop an e-mail about what does interest you.
Fred Mallett is founder of FAME Computer Education, which provides standup delivery of educational classes on a variety of Unix, Linux and Win32 related subjects. Reach him at firstname.lastname@example.org.